Configure Shared Android Devices for your Shift Workers
Workspace ONE UEM can be configured to provide your shift workers, and other roles that share devices, access to corporate resources. Different apps, policies, and branding can be provided based on a users role. To ensure user privacy, certain apps can have their app data cleared between user sessions.
There are two prominent ways to configure your shared devices:
Workspace ONE Launcher VMware Workspace ONE UEM Launcher provides a highly customizable experience for your shift workers. You can add custom branding, set app icon positioning, and configure which device settings they should have access to.
Native Android Using Native Android for shared devices supports simpler use cases that do not require as much customization as Launcher. You can create secondary users, use simple branding, implement restrictions, and limit applications.
Example Uses
- Shared Bank Teller Android device in Financial Services
- Shared Nurse Android device in Healthcare
- Shared mobile Point of a Sale Android device in the retail industry.
Prerequisites
This guide assumes you have knowledge of certain workflows in the Workspace ONE UEM console, and have completed certain steps already:
- The Android EMM registration is complete using managed Google accounts.
- Smart groups are already created. If a certain group of users need a different set of policies and/ or apps, separate smart groups are created for them.
- Internal and/ or private apps for your users are added into the Workspace ONE UEM Console.
- Android devices are running OS version 5.0 or higher. For Workspace ONE Launcher, use Android 5.0 or higher. For Native Android, use Android 9.0 or higher.
- User accounts for your users have been added to the Workspace ONE UEM Console.
- Profiles for applying device policies and network configuration should be created and assigned to your users.
Enrollment Configuration
The best option for the shared device use case is to use Work Managed enrollment with device based accounts. This is based on two key assumptions:
- Devices used for shared devices typically do not have a single end user associated with them.
- The enrollment occurs at a central location and then shipped to the location where the devices are used.
Configure Device-based Accounts
Device based accounts is only available when Android EMM is registered using managed Google Accounts.
Device based accounts adds a unique managed Google account on each device, even if the enrollment user is the same. This is important because Google limits how many devices can be used by a single user (limited to 10). With device based accounts, any number of devices can be enrolled with the same user.
To configure device-based accounts in the Workspace ONE UEM console:
- Navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration > Enrollment Settings.
- Set the Work Managed Enrollment Type to Device-Based.
Create a Multi-user Staging Account for Enrollment
Enrolling a device using a multi-user staging account sets up the device for shared use. Once you enable multi user devices, you can check in and check out shared Android devices using native Android capability or Workspace ONE Launcher (see sections below for more information on each option). Additionally, the multi-user staging account simplifies bulk enrollment by enabling you to enroll all your shared devices with this account.
To create a multi-user staging account, follow these steps:
Navigate to Accounts > Users > List View > Add User.
Add the Username, Full Name, E-mail, and Password for the account in the General tab.
Enable Multi User Devices under Advanced > Staging.
Choose Native or Launcher under Android Shared Device Mode. If you select Launcher, proceed to select Save.
When you select Native, additional settings display to configure Native Android settings.
Setting Description System Apps Allow end users to access system apps Admin Passcode Mode Specify an alphanumeric passcode to troubleshoot a device in admin mode. Tap the Hub icon on the login screeen 5 times to access admin mode. Confirm Admin Passcode Reenter admin passcode. Select Save
Creating a QR code for Enrollment
To ensure that the enrollment is easy to perform in bulk, the best option is to use a QR code. A QR code can be created within the Workspace ONE UEM console that includes server details, group ID and authentication details. By simply scanning the QR code during the out of box setup, the device enrolls without any further interaction.
To create a QR code in the Workspace ONE UEM console:
Navigate to Lifecycle > Staging > List view.
Select Configure Enrollment.
Navigate to Android > QR Code and select Configure.
Connect the device to Wi-Fi prior to enrollment by enabling the Wi-Fi toggle. This enabling action displays the following options.
Setting Description SSID Enter the Service Set Identifier, more commonly known as the name of the Wi-Fi Network. Password Enter the Wi-Fi password for the entered SSID. Select Next.
Select the Workspace ONE Intelligent Hub to push to devices during staging. The default selection is Use latest Workspace ONE Intelligent Hub. If you do not have an Workspace ONE Intelligent Hub added, select Hosted on an external URL and enter the address in the URL text box to point to an externally-hosted Workspace ONE Intelligent Hub Package.
Select Next.
Set the Enrollment Details settings. To use token-based authentication, leave both options disabled.
Configure Organization Group
Setting Description Organization Group Enable and select the organization group to enroll the device into. Configure Login Credentials
Setting Description Username Enable to configure login credentials. Enter the username of the staging account created earlier. Password Enter the corresponding password for the staging user. Select Next
The Summary page allows you to the download the QR code as a PDF file.
You can use this QR code for enrolling your Android devices into Work Managed mode.
